Jun 13

Anatomy of a bug – the MySQL authentication disaster (patch now!) | Naked Security

You could have the hardest-to-guess password, salted and hashed thousands of times, and still be at risk.


That happened about a year ago at Dropbox, for instance, when the file-sharing site inadvertently removed its authentication validation altogether for a few hours. Anyone could use any password.

It’s happened again, this time with a more corporate angle.

Open source database giant MySQL (and its post-Oracle fork, MariaDB) contained a bug which meant that your password might be checked correctly only 255 out of every 256 times. One in 256 times, anything might get you in.
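The excerpt does not say where the 1-in-256 figure comes from. In the MySQL bug, the integer result of memcmp() on the password hash was stored in a one-byte my_bool, so any nonzero result whose low byte happened to be zero was truncated to 0 and treated as a match. The C program below is an added example, not code from the article or from MySQL: it models that truncation with a constructed word-at-a-time memcmp (wide_memcmp) and a constructed 20-byte hash, puts the narrowing comparison beside a hardened constant-time one, and counts how many wrong hashes each accepts.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HASH_LEN 20        /* SHA-1 sized scramble hash, as in MySQL */
typedef char my_bool;      /* MySQL's my_bool was a one-byte char type */
static uint32_t load_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
/* Constructed model of a word-at-a-time memcmp: C only promises the sign of the result,
 * so an optimised libc may return any 32-bit difference, not just -1/0/1. */
static int wide_memcmp(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = load_le32(a + i), wb = load_le32(b + i);
        if (wa != wb) return (int)(wa - wb);   /* only zero vs nonzero matters here */
    }
    for (; i < n; i++)
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}
/* Vulnerable shape: the int result lands in a one-byte type, so every nonzero
 * result whose low byte is 0 collapses to 0, which the caller reads as "match". */
static my_bool check_scramble_vulnerable(const uint8_t *stored, const uint8_t *computed) {
    return (my_bool)wide_memcmp(stored, computed, HASH_LEN);
}
/* Hardened shape: reduce to 0/1 explicitly and in constant time before anything is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *stored, const uint8_t *computed) {
    uint8_t diff = 0;
    for (size_t i = 0; i < HASH_LEN; i++) diff |= stored[i] ^ computed[i];
    return diff != 0;
}
/* Feed a check 65535 wrong hashes (first word = stored + d, d = 1..65535) and count
 * how many it accepts (0 means "password ok"). The stored hash is constructed, not real. */
static int count_false_accepts(my_bool (*check)(const uint8_t *, const uint8_t *)) {
    uint8_t stored[HASH_LEN], cand[HASH_LEN];
    for (int i = 0; i < HASH_LEN; i++) stored[i] = (uint8_t)(i * 37 + 11);
    int accepted = 0;
    for (uint32_t d = 1; d < 65536; d++) {
        memcpy(cand, stored, HASH_LEN);
        store_le32(cand, load_le32(stored) + d);
        if (check(stored, cand) == 0) accepted++;
    }
    return accepted;   /* vulnerable: 255 (every d that is a multiple of 256); fixed: 0 */
}
int main(void) {
    printf("vulnerable: %d of 65535 wrong hashes accepted\n", count_false_accepts(check_scramble_vulnerable));
    printf("hardened:   %d of 65535 wrong hashes accepted\n", count_false_accepts(check_scramble_fixed));
    return 0;
}
```

255 of 65535 is almost exactly one in 256, matching the article's figure; the hardened check accepts none.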
